Ask the Right Questions: Advice to CEOs and CISOs Addressing the State of the Art Paradox

As we’ve previously discussed, the Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR), which will be introduced in 2018, include among their requirements the concept of “state of the art.” This means that organizations must take into account technologies and practices that are state of the art in security when deciding how to invest in mitigating risks associated with data protection (in the case of GDPR) and the protection of essential services that have a dependency on network and information systems (in the case of the NIS directive).

Overall, the new requirement for state of the art is a positive, giving opportunity to re-architect security capability with a focus on better mitigating cyber risks and thus preventing successful data breaches, but it’s apparent that many organizations are still working out what this means for them. We’ve recently commissioned IDC to conduct research into how businesses in Europe perceive the upcoming requirements.

The results can be found in the IDC white paper, “The State of the Art Paradox” (August 2016). The study found that many don’t have a clear understanding of the concept of state of the art, have no processes or metrics in place to measure their alignment with it, and lack a form of review of their position on it with sufficient frequency.

By exploring these areas, the white paper noted that a concept termed “the state of the art paradox” emerged: How can organizations know that they are ready for the NIS directive and/or GDPR when they cannot describe their process of defining, measuring and reviewing state of the art?

The research, conducted among IT decision-makers in France, Germany, Italy, Spain and the U.K., highlighted a number of points of interest:

  • Readiness: With the legislation being introduced in 2018, 58% of organizations believe they are already ready for NIS, with 34% saying that efforts are underway and that they expect to be ready on time, and 6% say they have started but might not be ready. This compares to 40% of organizations who think they are ready for GDPR and 45% who believe they will be ready by 2018. However, with the NIS directive, only 1% of organizations thought they would not be ready, contrasting with 13% for GDPR.
  • Measurement: When asked if they have a process for measuring state of the art, and if so, how often they review it, most respondents cite reliance on regular audits or external expertise to evaluate state of the art. No organizations indicated that they had defined their security posture, implemented a structured analysis of data types to be protected or established a reference architecture to evaluate against.
  • Review: When it came to how often companies repeat the evaluation process, most (52%) review annually, with the question here being whether this is sufficient given the rapid advancement of technology and the growth in the number and type of security attacks. Of the respondents, 26% review either quarterly or half-yearly, which suggests that these organizations will be able to keep up to date with technology developments as they occur. Only a tiny proportion (2%) review their position on state of the art continuously or at least monthly – an impressive degree of regularity.
  • Top concerns with GDPR: Risk to brand from mandatory breach notifications emerged as the major headache for European organizations, with 51% of survey respondents noting it as a concern, followed jointly by the risk of distraction from more important security topics and cost, both of which were cited by 48% of respondents. Other concerns noted were the potential for over-delivering on compliance (38%), fines for non-compliance (36%), ensuring compliance for data transfers across borders (36%) and the inability to make data transfers to chosen providers (31%).

With time continuing to move on and 2018 getting ever-closer, action is needed to make sure that compliance requirements do not hamstring European organizations as the NIS Directive and GDPR are introduced. Getting past the state of the art paradox will be key in ensuring a baseline level of understanding of current and required adherence to state of the art.

IDC has defined some fundamental questions that CEOs and CISOs need to ask in order to overcome the apparent knowledge gap that exists across Europe.


  • Does GDPR or the NIS Directive, or both, apply to your organization?
  • Who is best placed within your organization to answer questions on compliance?
  • Which external organizations can be relied on to give authoritative insight into the requirements?
  • What is the timescale to reach compliance, and what actions need to be taken now in order to achieve compliance by the deadlines?
  • What budget have you allocated for compliance? How did you set this figure, where are your key resource challenges, and how will you measure the effective use of your investment?


  • Is your board taking compliance with the NIS Directive and/or GDPR seriously? How can you gain its attention, and what do you tell them about your organization’s current approach to compliance?
  • Who in the business should provide support or sponsorship? Who are the stakeholders in achieving and maintaining the requirements and who will be responsible for the business risk?
  • What is the company view on state of the art security? How did you define it and who advised you on this?
  • What is the process for measuring existing security capability against your view of state of the art, and how often should this be reviewed?
  • What processes need to be implemented now, and in what timescale, so that the organization has a realistic chance of implementing state of the art security capability?

For more information, read the IDC white paper, “The State of the Art Paradox”, sponsored by Palo Alto Networks.

About the Research

IDC conducted research of companies with more than 250 employees based in France, Germany, Italy, Spain and the United Kingdom. A total of 650 interviews were conducted across a broad section of vertical industries and public sector functions, with decision-makers and influencers on IT security, risk, compliance and IT management. The research was conducted in April and May 2016.